SECURITY · April 12, 2026 · 12 min read
M365 Security Assessment: Conditional Access, Purview Labels, and the Audit Gaps Auditors Hate
Most CISOs we talk to know their Microsoft 365 security posture is "probably fine" but cannot prove it on demand. The Secure Score dashboard in the M365 admin center is a confidence-building exercise — it tells you what you have done, not what you have missed. The annual SOC 2 audit asks you to produce evidence that MFA coverage is at 100%, that the Global Admin count is below five, that sensitivity labels are deployed and protected with encryption, and that audit logging is enabled and retained — and you have one week to compile twelve PDFs to satisfy the auditor.
The M365 Security Assessment is the read-only scan that produces that evidence in five minutes. This post explains what it covers, why each check matters, and how a CA$399 one-time purchase compares to the $10K-and-up alternatives.
The Three Modules That Run
The M365 Security Assessment is a focused subset of the six governance modules — three modules selected for their relevance to a CISO-level posture review:
1. Identity & Conditional Access (the headline)
This is the module that answers the questions every M365 security audit asks first. We pull the Conditional Access policies via the Graph identity endpoint, then evaluate them against the baseline you would want to see in any production tenant:
- MFA coverage — every CA policy that requires MFA, every user group it targets, and the gaps between them (the user populations NOT covered by any MFA policy)
- Global Admin count — pulled from /directoryRoles. Microsoft's recommendation is fewer than five. Tenants we scan typically have 12 to 30. Each one is a credential that, if compromised, walks the attacker through every other security control.
- Guest user ratio — pulled from /users?$filter=userType eq 'Guest'. A tenant with a 40% guest ratio has a fundamentally different attack surface than one with a 5% guest ratio, and the CA policies governing guest sign-ins matter much more.
- Conditional Access blockers — policies that exist but are in report-only mode, policies that are disabled, policies that exclude critical user groups via "exclude" clauses, and policies whose "include" clauses are "All users" but whose "exclude" clauses neutralize 60% of the user base
- Service account exclusions — service accounts that bypass MFA, the rationale documented (or not), and whether they have privileged role assignments
The module emits findings prioritized by impact. IDC-001 (Must Do Before Copilot) fires when MFA coverage is below 100%. IDC-002 fires when Global Admin count is greater than five. IDC-003 fires when there is no Conditional Access policy targeting guest sign-ins. Each finding has a Microsoft Docs link to the documented remediation steps and an effort estimate.
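The coverage and exclusion logic described above, as an added example that is not part of the original post or the MigrationFox product: it evaluates constructed Conditional Access policy objects shaped like the Graph endpoint's output and emits IDC-001/002/003-style findings. The group sizes, admin count and guest count are constructed sample numbers.

```python
"""Conditional Access MFA-coverage check over Graph-shaped policy objects.
Added example, not MigrationFox's code. Policy records mirror the shape of
/identity/conditionalAccess/policies (state, conditions.users, grantControls);
all counts and group sizes below are constructed sample numbers."""
TOTAL_USERS = 1500
GROUP_SIZES = {"grp-service-accounts": 253}  # constructed group id -> member count
POLICIES = [  # constructed sample policies
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [],
                              "excludeGroups": ["grp-service-accounts"],
                              "includeGuestsOrExternalUsers": None}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for guests", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": [], "includeGroups": [], "excludeGroups": [],
                              "includeGuestsOrExternalUsers": {"guestOrExternalUserTypes": "b2bCollaborationGuest"}}},
     "grantControls": {"builtInControls": ["mfa"]}},
]

def enforces_mfa(policy):
    """Only an enabled policy (not report-only, not disabled) with the mfa grant counts."""
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return policy["state"] == "enabled" and "mfa" in controls

def mfa_coverage(policies, total_users=TOTAL_USERS, group_sizes=GROUP_SIZES):
    """Users under the broadest enforced MFA policy; a lower bound (groups disjoint, no union)."""
    best = 0
    for p in policies:
        if not enforces_mfa(p):
            continue
        users = p["conditions"]["users"]
        covered = (total_users if "All" in users.get("includeUsers", [])
                   else sum(group_sizes.get(g, 0) for g in users.get("includeGroups", [])))
        covered -= sum(group_sizes.get(g, 0) for g in users.get("excludeGroups", []))
        best = max(best, covered)
    return best

def assess(policies, global_admins, guest_count, total_users=TOTAL_USERS):
    """Emit IDC-001/002/003-style findings and list policies that exist but do not enforce."""
    findings, covered = [], mfa_coverage(policies, total_users)
    if covered < total_users:
        findings.append(("IDC-001", f"{covered} of {total_users} users ({covered * 100 // total_users}%) "
                         "covered by an enforced MFA policy"))
    if global_admins > 5:
        findings.append(("IDC-002", f"{global_admins} Global Administrators; Microsoft recommends fewer than five"))
    guest_targeted = any(enforces_mfa(p) and p["conditions"]["users"].get("includeGuestsOrExternalUsers") for p in policies)
    if guest_count and not guest_targeted:
        findings.append(("IDC-003", f"{guest_count} guests and no enforced CA policy targeting guest sign-ins"))
    return {"mfa_covered": covered, "findings": findings,
            "not_enforced": [p["displayName"] for p in policies if p["state"] != "enabled"]}
```

Note that a report-only guest policy counts as a blocker, not as coverage: it shows up in `not_enforced` while IDC-003 still fires.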
2. Purview Current State (the data classification audit)
Sensitivity labels are the layer that makes Microsoft Purview Information Protection effective. A tenant with no labels deployed has no way to mark a document as Confidential — Internal Only and have that designation flow through to encryption-at-rest, watermarking, and the Copilot exclusion ruleset. A tenant with labels deployed but not protected with encryption has the visual marking but not the technical enforcement.
The Purview module pulls the published sensitivity labels via the Graph informationProtection endpoint, evaluates whether each label has encryption configured, checks the auto-labeling policies, and flags the tenants where labels exist but are not actually being applied. We handle the case where the endpoint is not accessible (some Microsoft regions and some license tiers do not expose this) by emitting a manual verification finding instead of crashing the run — see PUR-000 for the diagnostics flow.
Why this matters for security: if your tenant has Confidential and Highly Confidential labels deployed and protected with encryption, then any document tagged with one of those labels gets excluded from Copilot semantic search by default. That is the only mechanism today that prevents Copilot from surfacing sensitive content to users who technically have read access via SharePoint permissions but should not see it in an AI search context. If labels are not deployed, Copilot has no exclusion list and surfaces every accessible document.
3. Licensing & Infrastructure (the Entra P1/P2 + audit log readiness check)
Several security controls require specific Entra ID / Microsoft 365 license tiers. Conditional Access requires at least Entra ID P1 (formerly Azure AD Premium P1). Identity Protection (the risk-based sign-in policies) requires P2. Audit log retention beyond 90 days requires E5 / Microsoft 365 Audit Premium add-on. The Licensing module pulls /subscribedSkus and computes which security capabilities the tenant can use given the licenses purchased.
This is the module that catches the "we bought Conditional Access but never deployed it" tenants and the "we are doing risk-based sign-in policies but only have P1" tenants (which means the policies look configured but never actually fire because the underlying capability is gated behind P2).
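A worked license-to-capability mapping for the check above, as an added example (not MigrationFox's code): it reads constructed /subscribedSkus-shaped records and flags the "configured but unlicensed" cases the module describes. The service plan names are an assumption taken from Microsoft's licensing service plan reference and should be confirmed against your own tenant export.

```python
"""Map /subscribedSkus to the security capabilities the tenant can actually use.
Added example, not MigrationFox's code. Records mirror the shape of Graph's
/subscribedSkus (skuPartNumber, prepaidUnits.enabled, servicePlans[]); the tenant
below is constructed. Plan names follow Microsoft's licensing service plan
reference; confirm them against your own tenant export."""
# capability -> service plans that unlock it (any one suffices)
CAPABILITY_PLANS = {
    "conditional_access": {"AAD_PREMIUM", "AAD_PREMIUM_P2"},   # Entra ID P1 or P2
    "identity_protection": {"AAD_PREMIUM_P2"},                # Entra ID P2 only
    "audit_retention_1y": {"M365_ADVANCED_AUDITING"},         # Audit Premium / E5
}

SUBSCRIBED_SKUS = [  # constructed: an E3 tenant plus a handful of P2 seats
    {"skuPartNumber": "SPE_E3", "prepaidUnits": {"enabled": 1500},
     "servicePlans": [{"servicePlanName": "AAD_PREMIUM", "provisioningStatus": "Success"},
                      {"servicePlanName": "EXCHANGE_S_ENTERPRISE", "provisioningStatus": "Success"}]},
    {"skuPartNumber": "AAD_PREMIUM_P2", "prepaidUnits": {"enabled": 25},
     "servicePlans": [{"servicePlanName": "AAD_PREMIUM_P2", "provisioningStatus": "Success"}]},
]

def plan_seats(skus):
    """servicePlanName -> enabled seats, counting only successfully provisioned plans."""
    seats = {}
    for sku in skus:
        for plan in sku["servicePlans"]:
            if plan["provisioningStatus"] == "Success":
                name = plan["servicePlanName"]
                seats[name] = seats.get(name, 0) + sku["prepaidUnits"]["enabled"]
    return seats

def capability_seats(skus):
    """Seats per capability. Takes the max across unlocking plans rather than the sum,
    since a P2 add-on seat normally sits on top of an E3 seat that already has P1."""
    seats = plan_seats(skus)
    return {cap: max((seats.get(p, 0) for p in plans), default=0)
            for cap, plans in CAPABILITY_PLANS.items()}

def licensing_findings(skus, total_users, risk_based_policies_configured):
    """Flag capabilities that are deployed or expected but not licensed for everyone."""
    cap, out = capability_seats(skus), []
    if cap["conditional_access"] < total_users:
        out.append(f"Conditional Access licensed for {cap['conditional_access']} of {total_users} users (needs Entra ID P1)")
    if risk_based_policies_configured and cap["identity_protection"] < total_users:
        out.append(f"Risk-based sign-in policies configured but Entra ID P2 covers only "
                   f"{cap['identity_protection']} of {total_users} users; policies will not fire for the rest")
    if cap["audit_retention_1y"] == 0:
        out.append("LIC-003: no Audit Premium add-on; audit logs retained 90 days, not 1 year")
    return out
```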
What the Findings Look Like
Common findings on the tenants we scan:
IDC-001 (Must Do Before Copilot): 1,247 of 1,500 users (83%) are covered by an MFA Conditional Access policy. The remaining 253 users are in a group named "Service Accounts" that is excluded via the policy's exclusion clause. Recommended: review the exclusion list and convert genuine service accounts to managed identities; the rest should be re-included in the MFA policy.
IDC-002 (Must Do Before Full Rollout): 18 users hold the Global Administrator role. Microsoft recommends fewer than five. Recommended: review each Global Admin and downgrade to a lesser-privileged role (Exchange Admin, SharePoint Admin, etc.) where the broader privilege is not actually required.
IDC-003 (Must Do Before Copilot): 247 guest users in tenant. No Conditional Access policy targets guest sign-ins specifically. Recommended: create a "Require MFA for guests" CA policy targeting userType eq 'Guest' with the MFA grant control.
PUR-001 (Must Do Before Copilot): Tenant has 0 published sensitivity labels with encryption configured. Without labels, Copilot has no exclusion list and will surface every document the user technically has read access to. Recommended: deploy at least Confidential + Highly Confidential labels with encryption and configure auto-labeling for content matching common sensitivity patterns (financial data, PII, source code).
LIC-003 (Nice to Have): Tenant has Microsoft 365 E3 but no Microsoft 365 E5 Audit Premium add-on. Audit logs retained for the standard 90 days, not the extended 1 year. Recommended for SOC 2 compliance: purchase the Audit add-on or upgrade to E5.
Why a Security-Focused Subset (Not All Six Modules)
A CISO doing a focused security review does not need the SharePoint Permissions Anyone-link inventory or the Teams sprawl report. Those are governance findings, not security findings. The M365 Security Assessment runs only the three modules whose findings map cleanly to a security audit checklist: Identity, Purview, and Licensing.
The buyer is different. A CISO wants the CA policy review, the admin count, the labels posture, and the audit log readiness check — all in one PDF that is prioritized, scored, and ready to hand to the SOC 2 auditor. They do not need the full six-module M365 Complete report. The Security Assessment gives them exactly the three modules at the same CA$399 price as any other single-product assessment. If they want the broader governance picture too, the Microsoft 365 Complete Bundle at CA$1,599 includes Security plus all the other product assessments.
How This Compares to the Alternatives
The M365 security audit market splits into four buckets:
- Microsoft Secure Score (free) — built into the M365 admin center. Tells you a number out of 800 and a list of recommendations. Excellent surface-level signal but not auditor-ready (no per-finding remediation steps, no priority weighting, no exportable report).
- Microsoft 365 Defender + Sentinel — native, expensive, requires E5 + Sentinel SKUs and ongoing SOC operations. Built for active threat hunting, not point-in-time posture reviews.
- Third-party SIEM and posture management — Vanta, Drata, Secureframe, Tenable, Wiz. Built for continuous compliance monitoring with monthly contracts ($500–$5,000+ per month per tenant). Overkill for a one-time audit.
- Big-4 consulting engagements — KPMG, Deloitte, EY, PwC, Spyglass. Microsoft 365 security reviews bid at $15K to $50K per engagement, two to four weeks to deliver.
The M365 Security Assessment at CA$399 sits in the empty slot between "free but not auditor-ready" and "$15K minimum." It produces the same kind of evidence the consulting engagement would produce — prioritized findings, scoring rubric, owner assignments, Microsoft Docs links, exportable PDF — at 1.5% of the cost and in five minutes instead of two weeks.
Read-Only by Architecture
The scan is 100% read-only. The Microsoft Graph client has a write guard at the client level: any HTTP verb other than GET raises an exception before the request leaves the process. The service account is granted exactly fourteen read-only Graph application scopes. Findings are stored encrypted at rest with AES-256-GCM. The scan completes in three to five minutes.
For a security team doing the scan against a customer's tenant during a vendor security review, the read-only architecture means the customer's security team can approve the scan in an afternoon instead of two weeks of back-and-forth on what the tool will do.
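One way to build the client-level write guard described above, as an added example rather than the product's own code: a urllib wrapper in which every call passes through one method that refuses any verb other than GET, plus a scope check that rejects ReadWrite permissions when the client is constructed. The token, scope list and injectable opener are placeholders so the guard can be exercised offline.

```python
"""Read-only Graph client: any verb other than GET is refused before a request is built.
Added example, not MigrationFox's code. It wraps urllib so the guard sits in the one
place every call passes through; the token is a placeholder and the opener is
injectable so the guard can be exercised offline."""
import urllib.request

READ_ONLY_VERBS = {"GET"}

class WriteAttemptError(RuntimeError):
    """Raised when a caller tries to send anything other than a GET."""

def reject_write_scopes(scopes):
    """Fail fast if the app registration carries a ReadWrite scope; returns the scopes."""
    writable = sorted(s for s in scopes if "ReadWrite" in s)
    if writable:
        raise WriteAttemptError(f"write scopes granted to a read-only scanner: {writable}")
    return list(scopes)

class ReadOnlyGraphClient:
    BASE = "https://graph.microsoft.com/v1.0"

    def __init__(self, token, scopes, opener=None):
        self._token = token
        self._scopes = reject_write_scopes(scopes)
        self._open = opener or urllib.request.urlopen  # real sender; swapped out in tests

    def _build(self, method, path, body=None):
        """The write guard: raises before any non-GET (or any body) can leave the process."""
        method = method.upper()
        if method not in READ_ONLY_VERBS or body is not None:
            raise WriteAttemptError(f"{method} {path} blocked: client is read-only")
        req = urllib.request.Request(self.BASE + path, method=method)
        req.add_header("Authorization", f"Bearer {self._token}")
        return req

    def get(self, path):
        return self._open(self._build("GET", path))

    def request(self, method, path, body=None):
        """Generic entry point kept for callers that pass the verb; still guarded."""
        return self._open(self._build(method, path, body))

def blocked(client, method, path, body=None):
    """True if the guard refused the call; handy for proving the guard in a self-check."""
    try:
        client.request(method, path, body)
    except WriteAttemptError:
        return True
    return False
```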
How to Run It
Run the Free Snapshot first: view-only score, four-state verdict, one sample finding, one snapshot per tenant per month per product, no credit card. If the answer is "yes, my tenant has security gaps," the CA$399 single assessment unlocks the full per-policy CA review, the admin count breakdown, the labels deployment matrix, and the JSON / HTML / CSV exports for 90 days.
M365 Security Assessment
CA$399 one-time
90-day access · 1 tenant · unlimited re-runs · MigrationFox-branded PDF